ABSTRACT

What obstructs the realization of useful quantum cryptography is the single photon scheme, or entanglement,
which is not applicable to the current infrastructure of optical communication networks. We are concerned
with the following question: Can we realize an information theoretically secure symmetric key cipher under
"the finite secret key" based on quantum-optical communications? A role of quantum information theory
is to give an answer to such a question. As an answer to the question, a new quantum cryptography was
proposed by H. P. Yuen, which can realize a secure symmetric key cipher with high speeds (Gbps) and for long
distance (1000 km). Although some researchers claim that the Yuen protocol (Y-00) is equivalent to classical
cryptography, they are all mistaken. Indeed it has no classical analogue, and also provides a generalization
even in the conventional cryptography.

At present, it is proved that a basic model of Y-00 has at least the security such as H(X|Y_E) = H(K|Y_E) =
H(K), H(K|Y_E, X) ~ under the average photon number per signal light pulse: <n> ^ 10000. Towards
our final goal, in this paper, we clarify a role of classical randomness (secret key) and quantum randomness in 
Y-00, and give a rigorous quantum mechanical interpretation of the security, showing an analysis of quantum 
collective attack. 
1. INTRODUCTION

In 1984, Bennett and Brassard[1] made an impact on the field of cryptography by showing a new protocol based
on quantum mechanics, the so-called BB-84. It is well known that they not only opened a new scientific subject,
but also called the attention of quantum information scientists and theorists of cryptography to information
theoretic cipher again. We are concerned with further development of information theoretic cipher based on
quantum cryptography initiated by BB-84.

Let us describe, first, a story of unconditional security based on the standard textbook. Many works
on protocols with unconditional security have already been discussed in journals of information theory. The
definition of perfect secrecy is I(X; C) = 0. It means that the plaintext X and the ciphertext C as a function
of X and a secret key K should be statistically independent. However, in this discussion Eve has access to
precisely the same information as the legitimate users. As a result, the condition: H(X) < H(K) is required
for the perfect secrecy. It means that perfect secrecy is achieved only when the secret key is at least as long
as the plaintext message. However, such a pessimism may be solved by introducing the modified Shannon's
model such that Eve cannot receive precisely the same information as Bob. In general, there are conditions
to realize the perfect secrecy. If we have no condition for it even under any physical laws, then the scheme is
called unconditionally secure.

First, in order to seek a perfect secrecy, an information theoretic cipher for noisy channel was discussed.
For general discussions, a channel model of secure communication by conventional information theory is
defined. That is, we have two channels. One is a channel from Alice to Bob, and the other is from Alice to
Eve. Let X, Y, Z be random variables of Alice, Bob, and Eve, respectively. Channels are completely specified
by the conditional probability P(Y, Z|X). A confidential communication without key under such a concept
was given by Wyner et al., and it is called information theoretic cipher. As an example, Wyner[2] clarified the
fact that one can realize a scheme with unconditional security in which Eve is assumed to receive signals from
Alice over a channel that is noisier than that of the legitimate users. Subsequently Csiszár-Körner[3] generalized
Wyner's result. These schemes allow us to realize one way communication with confidential message X
without initial key, and also distribution of key K. However, the assumption that Eve's channel is worse
than the legitimate channel is also unrealistic. When the discussion is devoted only to the problem of key
distribution, Maurer[4] pointed out that this assumption is not needed if the legitimate users can communicate
over an insecure but authenticated public channel like BB-84. Unfortunately, the efficiency of communication
is not so good. In addition, in such information theoretical results, the problem of finding actual encodable
and decodable codes that perform in a particular situation remained. Thus the unconditionally secure
key distribution requires neither single photon communication nor even quantum phenomena. These results
verified that the key distribution with unconditional security is not a proper issue of quantum theory. So one
can realize an unconditionally secure scheme by classical communication systems if there exists unavoidable noise
such as "thermal noise in free space" and so on. In addition, H(X) < H(K) is not essential. However,
in principle, if any noises in the system are removable, then one exactly needs quantum mechanical law to
realize unconditional security. In any situation, the most important concept is that of an advantage distillation
or advantage creation.

On the other hand, there is cryptography based on another criterion, the so-called "computational complexity
based security". Symmetric key cipher and public key cipher belong to this category. In the conventional
cryptography, there is no encryption scheme with provable security in the sense of information theoretic
security for ciphertext only attack and known plaintext attack on key, because the security comes from only
key uncertainty. One of the methods to provide "provable security" may be quantum cryptography. There
are many directions for further development, but it depends on personal fancy, for example,

(i) quantum key generation with unconditional security 

(ii) direct encryption by quantum key distribution and one time pad 

(iii) quantum symmetric key cipher with information theoretic security 

For any purpose, they will not be accepted in the real world if they have no efficiency. So the ultimate
new cryptography should satisfy both security and efficiency requirements. We are concerned with the
third category under the following conditions:

(i) Eve has the computer with unlimited computation power 

(ii) Eve has unlimited physical resource 

One candidate for the realization is to use a noisy channel governed by unavoidable quantum noise. Yuen
raised a question: "Is it possible to create a quantum system with current technology that could provide a
communication in which always Bob's error probability is superior to that of Eve?", and in 2000, he gave a
protocol (Y-00) to realize it as a positive answer[5,6], in which he proposed a new scheme with M-ary quantum
state modulation. In fact, this provides a new basis for communication with confidential message even in the
conventional cryptography.

In this paper, to reveal an excellent potential of Y-00, we shall give a rigorous interpretation of security 
principle of Y-00. 



2. BASIS OF QUANTUM COMMUNICATION FOR QUANTUM 

In any quantum cryptography such as BB-84, B-92, E-91, and Y-00, the information is classical bit, not
quantum information. That is, the information is true random number for key distribution, and plaintext
for direct encryption. The essential assumption in quantum communication for classical information is that
quantum states are known for the legitimate users. So classical bits are mapped into a set of known quantum
states. They are transmitted passing through a completely positive map (cp-map), and discriminated by
a quantum measurement process described by a positive operator valued measure (POVM). Then, a receiver gets
classical bits as information by measurements. Such a model is called the Helstrom/Holevo/Yuen formalism for
quantum communication[7,8]. Let us give a brief introduction. An information source and output in the
quantum communication model are described by a density operator for an ensemble of quantum states which
conveys classical information as follows:

$$\rho_T^{\mathrm{in}} = \sum_i p_i \rho_i, \qquad \rho_T^{\mathrm{out}} = \sum_i p_i\, \epsilon(\rho_i), \tag{1}$$

where i is an index corresponding to symbol as classical information, and $\epsilon$ is a cp-map. The discrimination
among quantum states at the output of the channel is described by POVM.

$$\Pi_j \ge 0, \qquad \sum_j \Pi_j = I, \tag{2}$$

where $I$ is a unit operator. Then a conditional probability for each trial of the measurement is given by

$$P(j|i) = \mathrm{Tr}\,\epsilon(\rho_i)\Pi_j. \tag{3}$$

The minimization problem of the average error probability based on the above equation is called quantum
detection theory, which is a fundamental formalism in quantum information science.

$$P_e = \min_{\Pi}\Big\{1 - \sum_i p_i \mathrm{Tr}\,\epsilon(\rho_i)\Pi_i\Big\} \tag{4}$$

The complete theory has been given by Helstrom/Holevo/Yuen. As a result, we have [7,8] 

Theorem 1: Signals with non-orthogonal states cannot be distinguished without error and optimum lower
bounds for error rate exist.

This means that if we assign non-orthogonal states for bit values 1 and 0, then one cannot distinguish 1
and 0 without error. When the error probability is 1/2, there is no way to distinguish them. The most
important cp-map (communication channel) in the real world is the energy loss channel with 20 ~ 100 dB loss. A
selection of input quantum states for the channel is one of the interesting problems in quantum communications,
but we have the following result [9].

Theorem 2: The input state which keeps pure state passing through energy loss channel is only coherent state.

So we can understand that a desirable state is coherent state. In fact, the ultimate information transmission
for such a model is discussed by Holevo capacity theory, and the ultimate capacity formula is the well
known Holevo/Schumacher/Westmoreland theorem[10] as channel coding theorem. The Holevo capacity for
energy loss channel, which gives the ultimate efficiency for quantum communication by quantum states, has
the following quantitative property[11,12].

$$C_H = \chi_H(\text{coherent}) > \chi_H(\text{squeezed}: 1\,\text{mode}) \gg \chi_H(\text{squeezed}: 2\,\text{modes}) \gg \chi_H(\text{photon}) \tag{5}$$

where $\chi_H$ is the Holevo function. So any states except for coherent state are out of the scope for communications
at present. Thus single photon state, squeezed state, entangled state, and so on are not useful in the real
infrastructure of communication.

On the other hand, in the quantum communication model for quantum cryptography, we have to consider
two channels of Alice to Bob, and Alice to Eve. Let us describe them by $\epsilon_{AB}$, $\epsilon_{AE}$. In general, $\epsilon_{AE}$ is ideal
channel while $\epsilon_{AB}$ is noisy channel. The basic performance of cryptography is to prevent a leak of secret
information from the channel of legitimate users. In a physical cryptography like quantum cryptography, one
may take a method to eliminate Eve's information obtained by her measurement from $\epsilon_{AE}$. In order to
realize such a situation, one needs "advantage distillation" under the ultimate physical law. It means that
the defects of Bob can be got rid of by some processing, while the performance of Eve, who has the unlimited
power of computer and physical resources, is superior to that of Bob in the original situation.

Thus, when we take into account two criteria: efficiency and security as requirements for quantum communication
for quantum cryptography, the most preferable state is mesoscopic coherent state. Even in BB-84,
there are many proposals for realization based on mesoscopic coherent state[13] which are very welcome.

3. YUEN PROTOCOL (Y-00) BY COHERENT STATE

3.1. Unification of symmetric key cipher and information theoretic cipher 

Our purpose is to devise a cipher with an information theoretic security, which prevents Eve from finding the 
unique data or key even with unlimited computation power. 

A symmetric key cipher is a scheme in which Alice and Bob share a secret key. A block cipher and a part of
stream ciphers belong to this category. However, they are in principle insecure, because the security is given
by only key uncertainty. In addition, a secure communication by "one way scheme" in information theoretic
cipher requires a situation that the channel between Alice and Eve is very noisy, but that of Alice and Bob
is a normal communication. It is unrealistic. On the other hand, there are generalized stream ciphers which
are designed by information theoretic approach and randomized approach proposed by C. Schnorr, Cachin,
Maurer, and Diffie[14]. However, they have some conditions. For example, C. Schnorr's stream cipher assumes that
Eve can access only a limited number of ciphertexts, and Cachin-Maurer's cipher works under the assumption of
limited memory capacity [14]. These generalized stream ciphers give a hint to devise a symmetric key cipher
with information theoretic security, because our problem is to realize secure communication by a symmetric
key cipher. So our purpose may be achieved if and only if one can unify symmetric key cipher (especially
generalized stream cipher) and information theoretic cipher.

We shall show how this unification is done. According to a quantum detection theory we have the following 
properties for average error probability: 

$$P_e(\mathrm{BP}) < P_e(\mathrm{BM}), \qquad P_e(\mathrm{BP}) < P_e(\mathrm{MP}) \tag{6}$$

where BP, BM, MP mean binary pure state, binary mixed state, and M-ary pure state, respectively. The 
problem is how to apply the above principle of quantum detection theory to cryptography. Yuen proposed a 
protocol which combines a shared secret key for the legitimate users and specific quantum state modulation 
scheme. A main idea of this protocol is the explicit use of a shared secret key and physical nature of noise 
for cryptographic objective of secure communication and key generation. This is called initial shared key 
advantage in noisy channel. By this advantage, the legitimate users can establish "advantage distillation" or 
"advantage creation" under the finite size for any parameters of the protocol in noisy channel. As a result, 
one can see "a basic principle to guarantee the security " as follows [6]: 

Principle of security : The optimum quantum measurements with key and without key have different 
performance. 

Unknown key corresponds to classical randomness. The security of the conventional symmetric key cipher
comes from this classical randomness. However, in Yuen protocol, a classical randomness is used to make a
difference of the performance of quantum measurements. It means that if Eve does not know the key, then
the quantum limitation of her measurement is enhanced by classical randomness. As a result, Eve has to
search the data or key based on her measurement results with unavoidable error. Thus, in general, although
a symmetric key cipher belongs to the class of ciphers of computational complexity based security, by this
principle one can realize a symmetric key cipher with information theoretic security. It will be instructive to
compare the concepts of Yuen, Schnorr, and Cachin.

(i) Yuen: Eve's data on plaintext or key has unavoidable error without any conditions for Eve.

(ii) Schnorr: It works under the condition that Eve can get only a limited number of exact ciphertexts.

(iii) Cachin-Maurer: It works under the condition that Eve can use only limited memory capacity.

For explanation of this principle, Yuen gave a simple example without any design as follows: If Eve wants
to know some information on the data bits, she has to measure the signals by any instrument. In Y-00 of
the original model, the problem of the measurement ability reduces to the comparison of optimum binary
quantum measurement and optimum phase measurement. Since Eve does not know K, she needs to make the
phase estimation in order to identify data X for all possible basis selections from the running key. According
to the quantum detection theory, when Eve and Bob have the ultimate ability (ultimate receiver devices, and
so on), their error probabilities are shown for binary signals with key and without key as follows [6]:

$$P_e^B \sim \exp(-4S) \quad \text{vs} \quad P_e^E \sim \exp(-2S) \tag{7}$$

where $S = \langle n \rangle$ is signal energy. Thus the error probability of Bob is smaller than that of Eve. This
fact gives an advantage distillation under the ultimate physical law, so it leads to unconditionally secure key
generation for any key length of the initial key and also it gives a basis for information theoretically secure
direct encryption. The above example is not a scheme that we use as a practical quantum cryptography.
It only shows a principle. For practical use, we need several additional contrivances. The essential problem
is how to extend the above principle towards practical quantum cryptography. Yuen has suggested the
following directions, showing the more general unification theory as KCQ[6].

(i) Direct encryption: quantum stream cipher (or αη scheme) as a randomized cipher by quantum noise.

(ii) Key generation: generalized Y-00 based on coherent pulse position modulation and so on.

The key point is a role of the classical randomness for quantum cryptography. A first idea for use of
classical randomness was proposed as follows. We assume that Alice and Bob share a secret key K. The
key is stretched by a pseudo random number generator to K'. The data bit is modulated by M-ary keying
driven by random decimal number generated from the block: $K'/\log M = K' = (k_1, k_2, \ldots)$ of pseudo random
number with the seed key K. The M-ary keying has M different bases based on 2M coherent states. So the
data bit is mapped into one of 2M coherent states randomly, but of course its modulation map has a definite
relationship based on key, which is opened. This is a fundamental structure of Y-00[15]. We shall describe a
feature of Y-00 in the simplest way in the following sections.

3.2. Quantum stream cipher and the security 

An application of Y-00 is, first, direct data encryption like a stream cipher in the conventional cryptography.
We call the symmetric key cipher based on Y-00 protocol "quantum stream cipher" or αη scheme[15,16,17].
Here it is reasonable that we employ different security criteria for direct encryption and key generation. For
direct encryption, the criteria are given as follows.

(i) Ciphertext-only attack (CTOA) on data and on key: To get plaintext or key, Eve knows only the
ciphertext from her measurement.

(ii) Known/chosen plaintext attack (KTA): To get key, Eve inserts her known or chosen plaintext data into
modulation system (for example, inserts all sequence as plaintext in a period). Then Eve tries to
determine key from input-output. Using the key, Eve can determine the data from the ciphertext.

(iii) Repetition attack: Since the secret key is fixed, it has a period. Eve can apply CTOA and KTA over
many periods when the key is reused.

In order to use effectively the principle of security, quantum noise effect should be enhanced by a classical
randomness. So Alice and Bob in Y-00 share a secret key K. The key is stretched by a linear feedback shift
register (LFSR) as a pseudo random number generator to K'. The length of the initial key is $|K| = 100 \sim 1000$,
and the length of the running key is $|K'| \sim 2^{|K|}$. The data bit is modulated by M-ary keying driven by
random decimal number generated from the block: $K'/\log_2 M = K' = (k_1, k_2, \ldots)$ of pseudo random number
with the seed secret key K. The M-ary keying has M different bases based on 2M coherent states. So the
data bit is mapped into one of 2M coherent states randomly. A quantum state sequence emitted from the
transmitter is as follows:

$$|\Psi\rangle = |\alpha_i\rangle_1 |\alpha_j\rangle_2 |\alpha_k\rangle_3 \cdots \tag{8}$$

where $|\alpha_i\rangle$ is one of 2M coherent states, and $i, j, k \in \mathcal{M} = (1 \sim 2M)$. This sequence is one sequence in a set
of the F sequences:

$$F = (2M)^{2^{|K|}/\log_2 M} \tag{9}$$

That is, the density operator of Eve is

$$\rho_T = \sum_{i=1}^{F} p_i |\Psi_i\rangle\langle\Psi_i| \tag{10}$$

The processing to break Y-00 is done by physical measurements of quantum state sequences. So we have
to take not only Eve's power of computation but also ability of physical implementation into account. We
describe several physical attacks on Y-00 in the following sections.

3.2.1. Method of quantum optimum measurement 

(A) Quantum individual processing 

All quantum state sequences have certain amounts of correlations from PRN as running key, because the
running key is not a true random number. Let us assume that Eve employs individual quantum measurement
for each state in the sequence, and classical processing for measurement results. If the states are orthogonal
states, then Eve can get ciphertext without error. So the security comes from only the key uncertainty as
classical randomness. However, in Y-00, M-ary scheme provides a set of non-orthogonal states. Let us see
what is the principle of security of Y-00. By introducing the classical randomness by secret key and pseudo
random number generator, the performances of quantum measurements become as follows:

(i) Ciphertext-only attack on data: quantum detection is binary pure state signals for Bob, and binary
mixed states for Eve.

(ii) Known/chosen plaintext attack, and Ciphertext-only attack on key: quantum detection is binary pure
signals for Bob, and M-ary pure states for Eve.

That is, the limitation for accuracy of measurement of Bob is given by Helstrom bound as follows [7]:

$$P_e = \frac{1}{2}\min_{\Pi}\left(\mathrm{Tr}\,\rho_1\Pi_0 + \mathrm{Tr}\,\rho_0\Pi_1\right) < 1 \tag{11}$$

On the other hand, Eve does not know the key and running key. So her density operators for information
bits become "mixed state". For example, in the case of ciphertext only quantum individual attack, they are

$$\rho_0 = \sum_j q_j |\alpha_j\rangle\langle\alpha_j|, \qquad \rho_1 = \sum_k q_k |\alpha_k\rangle\langle\alpha_k| \tag{12}$$

The probability $p_i$ depends on the statistics of the data, and $q_j$, $q_k$ depend on the pseudo random number
with j, and k being even and odd number. Eve has to extract the data from the quantum system with mixed
states, and her error probability is also given by Helstrom bound for mixed states.

$$P_e = \min_{\Pi}\left(p_1 \mathrm{Tr}\,\rho_1\Pi_0 + p_0 \mathrm{Tr}\,\rho_0\Pi_1\right) \sim 1 \tag{13}$$

Thus, the error probability of Eve becomes 1/2 from the appropriate choice of the number M, signal energy,
and overlap selection keying (OSK)[17, 18]. It means that Eve's data $Y_E$ is completely inaccurate. This is
equivalent to one time pad[17].

On the ciphertext only attack on key and known/chosen plaintext attack, the best way for Eve is to 
detect M basis based on 2M coherent states. In this case, the limitation for accuracy of Eve's data is also 
given by the minimax quantum detection[19] of 2M pure coherent states for ciphertext only attack on key, 
and M for known/chosen plaintext attack on key. As a result, the measured data on the running key involve 
unavoidable error given by 

$$P_e = \max_{\{p_i\}}\min_{\{\Pi\}}\Big(1 - \sum_i p_i \mathrm{Tr}\,\rho_i\Pi_i\Big) \tag{14}$$

For the basic model of Y-00, the above formula gives $P_e = 0.975$ when $2M = 2047$, $\langle n \rangle = 100$, and
$P_e = 0.755$ when $2M = 2047$, $\langle n \rangle = 10000$[20,21].

(B) Quantum collective processing 

Here we are concerned with known/chosen plaintext attack. Let us assume a very strong condition. That is,
Eve can insert an all zero bit sequence as the full length plaintext in one period. In order to clarify the essential
point, we first neglect the PRNG, and we employ only an initial secret key with length $|K|$ which is selected
from a true random number. The initial key is divided by $\log_2 M$, and the number of slots is $L = |K|/\log_2 M$.
For known/chosen plaintext attack, the number of quantum states for Eve is M. So the total number of
sequences is $M^{|K|/\log_2 M} = 2^{|K|}$. Eve can measure directly the state sequences by means of the collective
measurement scheme in order to get the key. The density operators and her detection operators are described
on a tensor product Hilbert space of $L = |K|/\log_2 M$. That is,

$$\rho_n = \rho_{i_1} \otimes \rho_{i_2} \otimes \rho_{i_3} \otimes \cdots \tag{15}$$
$$p_n = p_{i_1} p_{i_2} p_{i_3} \cdots \tag{16}$$

where $i = (1, 2, \ldots, M)$, $\rho_n \in \mathcal{H}^{\otimes L}$, and $\Pi_n \ge 0$, $\sum_n \Pi_n = \otimes I_{\mathcal{H}}$, and where n is $\{1, 2, \ldots, 2^{|K|}\}$. Then we have
the following problem.

$$\min\max P_e = \min\max\Big(1 - \sum_n p_n \mathrm{Tr}\,\rho_n\Pi_n\Big) \tag{17}$$

Fortunately, we can prove the following theorem.

Theorem 3. The optimum measurement of the collective quantum measurement for all sequences is
individual quantum measurement for all slots:

$$\Pi_n = \Pi_{i_1} \otimes \Pi_{i_2} \otimes \Pi_{i_3} \otimes \cdots \tag{18}$$

and the success probability is

$$P_D = \Big(\sum_i p_i \mathrm{Tr}\,\rho_i\Pi_i\Big)^L \tag{19}$$

If the quantum states are orthogonal, then the success probability is 1, and Eve gets the exact key by known
plaintext attack in the first period. However, we can design $P_D \ll 1$ by using coherent states. So Y-00 has
a potential to achieve $H(K|Y_E, X) > 0$.

Here we shall discuss a situation out of the framework of the cryptanalysis, but it is an interesting problem.
Since the key is fixed in Y-00, there is a period at $2^{|K|}/\log_2 M$ bits. Let us assume that Eve can get the
transmitter and try many times known/chosen full length plaintext attack. As a result, she can try J times
known/chosen full length plaintext attack. The success probability is

$$P_D = 1 - (1 - P_D)^J \tag{20}$$

Thus, to determine the true key uniquely, she needs the infinite trial when $P_D \ll 1$. In the case of Y-00
using PRNG, the situation is complicated, but the essential point may be the same one.

3.2.2. Method of collective measurement with all key 

Since the length of PRN is $2^{|K|}$, the transmitter can send $2^{|K|}/\log_2 M$ bits in the first communication. Eve
can insert her known/chosen plaintext into the transmitter and measure the quantum state sequences by quantum
receivers with all kinds of key. If Eve wants to get the true key, then Eve needs $2^{|K|}$ copies. But it is not
allowed by the no cloning theorem. Although Eve can try a beam splitter attack, the so-called Lo-Ko attack, it has
been shown that this attack does not work[6, 17], and it has no effect for the security analysis.

Let us discuss collective unambiguous quantum measurement attack. Eve can insert her known plaintext
into the data port of the transmitter. She can prepare the unambiguous state discrimination $\Pi_{un}$ which can
apply to $2^{|K|}$ quantum state sequences. One of quantum state sequences of the set is transmitted from Alice.
Eve will measure it by her unambiguous measurement. The success probability is evaluated by an exact
calculation and also the following theorem.

Theorem 4. The upper bound of average success probability in unambiguous measurement is given by the 
quantum optimum solution in quantum detection theory for the same state ensemble. 

The unambiguous state discrimination (USD) for M symmetric coherent states is formulated by A. Chefles
and S. M. Barnett[22], and S. J. van Enk[23]. The success probability is given by the following formula.

$$P_D = N \min_{k=1,2,3,\ldots,N} |c_k|^2 \tag{21}$$

where 

1 N 

l Cfe | 2 = a? E e^/^eH 2 ^ 7 ""!) (22) 

In fact, in the case of individual measurement, the unambiguous state discrimination (USD) on M = 2000
symmetric coherent states with ($\langle n \rangle = 10000$) is

$$P_D(\mathrm{USD}) \sim 3\times10^{-12} < 5\times10^{-4} = {} < P_D(\mathrm{Bayes}) \sim 2\times10^{-1} \tag{23}$$

In addition, the success probability for collective USD is given by

$$P_D(\mathrm{USD}) < 2^{-|K|} < P_D(\mathrm{Bayes}) \tag{24}$$

That is, the probability is less than that of pure guessing.

Let us discuss again the known/chosen full length plaintext attack of unlimited repetition, though this is
impractical. At the first trial, Eve measures the quantum state sequence by quantum collective measurement
with the key $K_1$, at the second trial, Eve measures with $K_2$, and so on. She knows the plaintext. So when
the output is the plaintext, the measurement has the true key. Thus, in order that Eve gets the true key, she
needs $2^{|K|}$ times known/chosen plaintext attack based on a full bit length $2^{|K|}/\log_2 M$. This may be the only
method to break Y-00. However, if the legitimate users change the key sometimes as usual (for example,
once a year), then this attack has no meaning. This type of discussion belongs to key management. If Y-00
cannot be broken by any methods except for the above situation, then Y-00 is indeed the ultimate cipher.



3.2.3. General properties 

The basis of the security is a combination of key uncertainty(classical randomness) and quantum noise. A 
role of classical randomness: secret key (or running key) is to make a difference of quantum 
measurement performance. Thus, we can say that Y-00 is a randomized encryption cipher with no loss 
of bandwidth and with high speed randomization done by quantum noise of coherent state. However, we 
should emphasize that an appropriate design is necessary to realize meaningful security. 

In the conventional theory, we have $H(X|Y_E, R_M) < H(K)$ known as Shannon bound for ciphertext only
attack on data, and $H(K|Y_E, R_M) >$ for ciphertext only attack on key which is relevant with "unicity
distance", where X is data sequence, $Y_E$ is Eve's data, and $R_M$ is public mathematical randomization,
respectively. In addition, for known/chosen plaintext attack, we have $H(K|X, Y_E, R_M) =$ which means a
computational complexity based security.

However, our goal is to show the following performance. In the ciphertext only attack on data, Y-00 may
exceed the classical Shannon limit in the cryptography, even if we use a system with $H(K) \ll H(X)$. That
is,

$$H(X|Y_E, R_M, R_P) > H(K) \tag{25}$$

where X is information data, $Y_E$ is ciphertext which is "measured value" of Eve, $R_P$ is physical randomization,
and K is initial secret key. For known/chosen plaintext attack, Y-00 has

$$H(K|Y_E, R_M, R_P, X) > 0 \tag{26}$$

which corresponds to information theoretic security. If one has $H(K|Y_E, R_M, R_P, X) = H(K)$, then it is
perfect key security. These are not realized by the conventional symmetric key cipher. It means that Y-00 has
a potential to break the limitation of the conventional cryptography theory based on quantum communication
theory. The proof for the general attacks will be shown in the subsequent papers based on the results in this
paper.

3.3. Quantum key generation 

Y-00 is also applicable to key generation. Let us introduce its basic concept. In this case, data is a true
random number sequence. So there is no criterion like known plaintext attack. The use of a shared secret
key between Alice and Bob that determines the quantum states generated for the data bit sequences in a
detection/coding scheme gives them a better error performance over Eve who does not know K. Based on
this principle, the general conditions for key generation were discussed by Yuen[6]. As a result, the
condition for secure key generation is

$$H(X_A|Y_E, K) > H(X_A|Y_B) \tag{27}$$

where $Y_B$ is Bob's observation with knowledge of the seed key. A concrete implementation is coherent pulse
position modulation scheme [6].

4. SIGNAL DESIGN FOR EXPERIMENTS 

In the phase modulation scheme (PSK), the coherent states are described by positions on a circle in the phase
space representation. The radius corresponds to the amplitude or average photon number per pulse at the
transmitter. The positions on the circle correspond to phase information of the light wave. If the number
of bases is M, then the signal distance between neighbor states is about $\Delta_{PM} =$ ■ The uncertainty of
coherent state is described by two dimensional Gaussian distribution with mean = $|\alpha|$ and variance = 1/4. In
the practical sense, we can design the number of bases which satisfies

$$P_e(i, i+1) = \frac{1}{2} - \frac{1}{\sqrt{2\pi}} \int_0^{t_0} \exp(-t^2/2)\,dt = 0.2 \sim 0.5 \tag{28}$$

where $t_0 = \Delta_{PM}/2 =$ This corresponds to the error probability between neighbor states. But it is
not the real error probability for Eve. The real error probability of Eve depends on her strategy and quantum
measurement scheme. On the other hand, for amplitude or intensity modulation scheme (ASK), the conditions
for parameters are A am = ^"""m""" » *o = A^m/2, and |a m m| 2 > ^, where k is efficiency of permeability 
of attenuation channel. 
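
The keying of Sections 3.1 and 3.2 (seed key, LFSR running key cut into log2 M blocks, one of 2M phase states per slot) and the phase-space picture of this section can be put into a small Monte Carlo sketch. This is an added example, not code from the paper: the toy 16-bit LFSR, the bit-to-phase mapping, the neighbour spacing |α|π/M and the Gaussian receiver shared by both parties are assumptions, and it does not model the optimum quantum measurements analysed in Section 3.2.

```python
import math
import random

SIGMA = 0.5  # per-quadrature std dev (variance 1/4, as in the phase-space picture)


def lfsr_bits(seed, n):
    """Toy 16-bit Fibonacci LFSR (taps 16, 14, 13, 11) standing in for the PRNG."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be non-zero")
    out = []
    for _ in range(n):
        out.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
    return out


def running_key(seed, slots, m_bases):
    """Cut the running key K' into log2(M)-bit blocks; each block selects a basis."""
    width = m_bases.bit_length() - 1
    if m_bases < 2 or 1 << width != m_bases:
        raise ValueError("M must be a power of two >= 2 in this sketch")
    bits = lfsr_bits(seed, slots * width)
    return [int("".join(map(str, bits[i * width:(i + 1) * width])), 2)
            for i in range(slots)]


def encode(bit, basis, m_bases):
    """Map (bit, basis) to one of 2M phase indices; bit polarity flips with basis parity."""
    half = bit ^ (basis & 1)          # assumed mapping, not taken from the paper
    return basis + m_bases * half


def transmit(index, m_bases, amplitude, rng):
    """Coherent amplitude at phase pi*index/M plus Gaussian quadrature noise."""
    theta = math.pi * index / m_bases
    return complex(amplitude * math.cos(theta) + rng.gauss(0, SIGMA),
                   amplitude * math.sin(theta) + rng.gauss(0, SIGMA))


def bob_decode(sample, basis, m_bases):
    """Bob knows the basis: a binary decision along the basis axis."""
    theta = math.pi * basis / m_bases
    proj = sample.real * math.cos(theta) + sample.imag * math.sin(theta)
    half = 0 if proj >= 0 else 1
    return half ^ (basis & 1)


def eve_decode(sample, m_bases):
    """Without the key: pick the nearest of the 2M phases, then read its bit."""
    phase = math.atan2(sample.imag, sample.real) % (2 * math.pi)
    index = round(phase * m_bases / math.pi) % (2 * m_bases)
    basis, half = index % m_bases, index // m_bases
    return index, half ^ (basis & 1)


def neighbour_error(m_bases, amplitude):
    """Gaussian tail Q(t0) for two adjacent phases, t0 = (spacing / 2) / SIGMA."""
    t0 = amplitude * math.pi / m_bases / 2 / SIGMA
    return 0.5 * math.erfc(t0 / math.sqrt(2))


def simulate(seed_key, m_bases, mean_photons, slots, noise_seed=1):
    """Error rates for a keyed binary receiver and a keyless 2M-ary phase receiver."""
    rng = random.Random(noise_seed)
    amplitude = math.sqrt(mean_photons)
    bob_err = eve_bit_err = eve_state_err = 0
    for basis in running_key(seed_key, slots, m_bases):
        bit = rng.getrandbits(1)
        index = encode(bit, basis, m_bases)
        sample = transmit(index, m_bases, amplitude, rng)
        bob_err += bob_decode(sample, basis, m_bases) != bit
        guess_index, guess_bit = eve_decode(sample, m_bases)
        eve_state_err += guess_index != index
        eve_bit_err += guess_bit != bit
    return {"bob_bit_error": bob_err / slots,
            "eve_bit_error": eve_bit_err / slots,
            "eve_state_error": eve_state_err / slots,
            "neighbour_error": neighbour_error(m_bases, amplitude)}


if __name__ == "__main__":
    # Constructed parameters: 16-bit toy seed, M = 1024 bases, <n> = 100.
    for name, value in simulate(0xACE1, 1024, 100, 4000).items():
        print(f"{name}: {value:.4f}")
```

With the same noisy sample, the receiver that knows the basis makes a binary decision between two well separated states, while the receiver without the key has to resolve 2M closely spaced phases and ends up guessing the bit.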

5. CONCLUSION 

We have given a rigorous interpretation of an origin of the security of Y-00. Although the classical randomness 
as key uncertainty is essential in Y-00, the security is given by quantum randomness. Directions to security 
analysis have been given in this paper and [6, 17]. The proof for the general attacks will be shown in the 
subsequent papers. However, in practical use, exponential complexity for known plaintext attack may be 
enough, which was already demonstrated by experiments. 